Crypto asset secondary service providers: Licensing and custody requirements - Consultation paper 21 March 2022 - Treasury
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Crypto asset secondary service providers: Licensing and custody requirements Consultation paper 21 March 2022
© Commonwealth of Australia 2022 This publication is available for your use under a Creative Commons Attribution 3.0 Australia licence, with the exception of the Commonwealth Coat of Arms, the Treasury logo, photographs, images, signatures and where otherwise stated. The full licence terms are available from http://creativecommons.org/licenses/by/3.0/au/legalcode. Use of Treasury material under a Creative Commons Attribution 3.0 Australia licence requires you to attribute the work (but not in any way that suggests that the Treasury endorses you or your use of the work). Provided you have not modified or transformed Treasury material in any way including, for example, by changing the Treasury text; calculating percentage changes; graphing or charting data; or deriving new statistics from published Treasury statistics — then Treasury prefers the following attribution: Source: The Australian Government the Treasury. Derivative material If you have modified or transformed Treasury material, or derived new material from those of the Treasury in any way, then Treasury prefers the following attribution: Based on The Australian Government the Treasury data. Use of the Coat of Arms The terms under which the Coat of Arms can be used are set out on the Department of the Prime Minister and Cabinet website (see www.pmc.gov.au/government/commonwealth-coat-arms). Other uses Enquiries regarding this licence and any other use of this document are welcome at: Manager Media and Speeches Unit The Treasury Langton Crescent Parkes ACT 2600 Email: media@treasury.gov.au
Contents Consultation Process .....................................................................................................................1 Request for feedback and comments ......................................................................................................1 Regulation of crypto asset secondary service providers ..................................................................2 Introduction..............................................................................................................................................2 Background...............................................................................................................................................4 Existing regulatory framework .................................................................................................................7 Proposed terminology and definitions ...................................................................................................10 Terminology changes ........................................................................................................................10 Proposed definitions .........................................................................................................................10 Proposed principles, scope and policy objectives of the new regime ...................................................12 Proposed obligations on crypto asset secondary service providers................................................16 Rationale for the proposal ................................................................................................................16 Proposed obligations.........................................................................................................................16 Financial requirements......................................................................................................................17 Prohibition on hawking or pressure selling crypto assets ................................................................17 Custody..............................................................................................................................................18 Alternative options .................................................................................................................................18 Alternative option 1: Regulating CASSPrs under the financial services regime ................................18 Alternative option 2: Self-regulation by the crypto industry ............................................................19 Proposed custody obligations to safeguard private keys ...............................................................20 Rationale for the proposal ................................................................................................................20 Proposed obligations.........................................................................................................................20 Alternate option: Industry self-regulation .............................................................................................21 Early views sought on token mapping ..........................................................................................23 Specifying classes of crypto assets ....................................................................................................23 Appendix 1 – Overview of Australian crypto asset regulation .......................................................25 Appendix 2 – Custody obligations in relation to scheme assets .....................................................28
Crypto asset secondary service providers: Licensing and custody requirements Consultation Process Request for feedback and comments Closing date for submissions: 27 May 2022 Email crypto@treasury.gov.au Director – Crypto Policy Unit Mail Financial System Division The Treasury Langton Crescent PARKES ACT 2600 Enquiries Enquiries can be initially directed to Director – Crypto Policy Unit Phone 02 6263 3416 The principles outlined in this paper have not received Government approval and are not yet law. As a consequence, this paper is merely a guide as to how the principles might operate. 1
Crypto asset secondary service providers: Licensing and custody requirements Regulation of crypto asset secondary service providers Introduction The crypto asset ecosystem has expanded rapidly in recent years, growing by 3.5 times in 2021 to US $2.6 trillion. 1 More than 800,000 Australian taxpayers have transacted in digital assets in the last three years, with a 63 per cent increase in 2021 compared with 2020. 2 This surge in retail consumer exposure to crypto assets has led to calls, including from some service providers, for additional regulation in Australia. Regulation would support consumer confidence and trust in the crypto asset ecosystem and provide regulatory certainty to support crypto businesses’ investment decisions. On 8 December 2021, the Government announced that it would consult on approaches to licencing digital currency exchanges and consider custody requirements for crypto assets, with advice to be provided to Government on policy options by mid-2022. 3 This consultation paper outlines the Government’s proposed approach to licensing crypto asset secondary service providers 4 (CASSPrs) and crypto custody requirements. The proposals in this paper recognise the growing importance of the crypto asset ecosystem to both the Australian and global economy, the need for regulatory certainty to encourage innovation and competition, and seeks to give consumers greater confidence in their dealings with CASSPrs. What is a crypto asset? A crypto asset is a digital representation of value that can be transferred, stored, or traded electronically. Crypto assets use cryptography and distributed ledger technology. Today, crypto assets have three primary uses: as an investment; as a means of exchange; and to access goods and services. Crypto assets include cryptocurrencies like BTC, Ripple and Litecoin, utility tokens like filecoin and basic attention token, and security tokens. They may run on their own Blockchain or use an existing platform like Ethereum. Crypto assets may also include non-fungible tokens (NFTs). Crypto assets are a subset of digital assets, that uses cryptographic proof to determine ownership. The crypto ecosystem is a dynamic and expansive ecosystem with many players in the primary and secondary market (Figure 1). This consultation paper considers the regulation of centralised CASSPrs who offer crypto asset custody, storage, brokering, exchange and dealing services, or operate a market in crypto assets for retail consumers. 1 Financial Stability Board, Assessment of Risks to Financial Stability from Crypto-assets, FSB, 2022, accessed 8 March 2022. 2 Australian Taxation Office (ATO). 3 This was announced in response to the Senate Select Inquiry on Australia as a Financial and Technology Innovation Centre’s Final Report (released on 20 October 2021). The first two recommendations in the report were to introduce a licensing regime for digital currency exchanges and a custody regime for entities holding digital assets on behalf of a client. 4 This is a broad term intended to capture both digital currency exchanges in Australia and other crypto asset service providers including brokers, dealers, exchanges, and crypto asset markets. The proposed definition is based on the definition of a Virtual Asset Service Provider as defined by the Financial Action Task Force. 2
Crypto asset secondary service providers: Licensing and custody requirements Figure 1: Simplified structure of the ecosystem for crypto assets (adapted from Ankenbrand et al (2021)). 5 This paper also seeks early views on how to categorise and classify crypto assets to provide more certainty to crypto asset secondary service providers, consumers, and regulators. Consistent with the Government’s response to the Senate Report, a token mapping process will be completed as a separate piece of work and finalised by the end of year. Feedback provided to this section of the paper will be considered as part of a future consultation process. The Government is keen to harness the economic benefits from the technological innovations arising from the crypto ecosystem for Australia and create a local crypto ecosystem that consumers can trust. This will need to be done while managing the risks crypto assets could present to consumers, the financial system, and the real economy. Structure of the paper This paper is structured in four parts. The first part of the paper outlines the current state of the crypto asset ecosystem, including the existing regulatory environment. The second part of the paper proposes for consideration and feedback a licensing regime for CASSPrs, establishing the potential scope and obligations on providers. The third part of the paper discusses custody obligations to safeguard private keys. The final part of the paper seeks early views on the classification of crypto assets, noting further consultation will follow on this aspect later in 2022. The Government welcomes views on each of the proposals. 5 Ankenbrand et al, Crypto Assets Study 2021 – An overview of the Swiss and Liechtenstein crypto assets ecosystem, Institute of Financial Services Zug IFZ, 2021, accessed on 17 December 2021. 3
Crypto asset secondary service providers: Licensing and custody requirements Background The emergence of a virtual economy The crypto asset industry has expanded rapidly, with consumer interest increasing commensurately. For example, in December 2021, Independent Reserve found that more than 28 per cent of Australians surveyed own crypto assets. 6 This emerging virtual economy has expanded beyond the original use case of trustless digital currency, with growth in areas as disparate as gaming, art, real estate, lending and security. Crypto assets and blockchain technology are also permeating traditional industries. For example, across the public and private sector in Australia: • ASX is replacing its Clearing House Electronic Subregister System (CHESS) with distributed ledger technology; • Australian mining company Rio Tinto used blockchain to facilitate the trade of iron ore to a foreign country; and • three of Australia’s four major banks partnered with IBM and Scentre Group to issue the first digital bank guarantee for retail property leases on blockchain earlier this year. There are also existing Government initiatives that seek to harness the benefits of innovation. Australian Government Initiatives • The Government’s Digital Economy Strategy is designed to position Australia to be a top 10 digital economy and society by 2030 through $1.2 billion of strategic investment. • The National Blockchain Roadmap 2020-2025 highlights the potential of blockchain technology across the Australian economy. • $60 million in funding to the Digital Finance Cooperative Research Centre (DFCRC). The DFCRC brings together fintech, industry, research, and regulatory stakeholders to capitalise on the financial sector transformation arising from the digitisation of assets. • The Blockchain Pilot Grants program provided $5.6 million to two blockchain projects. • The Australian Border Force has undertaken a successful blockchain trial to digitise trade processes. • Implemented an anti-money laundering and counter-terrorism (AML/CTF) framework for crypto asset secondary service providers via AUSTRAC’s digital currency exchange register. • Committed to investigating the feasibility of a central bank digital currency, the potential of Decentralised Autonomous Organisations and reviewing the taxation of digital transactions and assets. The regulatory challenge Governments internationally face the challenge of implementing appropriate consumer safeguards, while leaving room for future innovation, growth, and competition. The distributed, intangible and global nature of the crypto ecosystem makes this particularly challenging, as regulation may be difficult to enforce on large international providers delivering secondary services from overseas. Nonetheless, domestic providers may benefit from a more reliable and trustworthy crypto market here in Australia through a licencing system or an Australian stamp of quality. For this reason, many 6 Independent Reserve, Cryptocurrency Index, 2021, accessed 11 March 2022. 4
Crypto asset secondary service providers: Licensing and custody requirements industry players have called for a regulatory framework for secondary service providers (CASSPrs) to provide confidence to consumers about the services they offer and to improve the reputation and credibility of the sector. Crypto asset secondary service providers as the subject of regulation The Government considers that the most appropriate subject of regulation are the crypto asset secondary service providers. These providers interact with consumers and allow them to engage more easily and seamlessly with the crypto ecosystem. What are crypto asset secondary service providers (“CASSPrs”)? Crypto asset secondary service providers provide a range of services to allow consumers and businesses to access and use crypto assets such as: • custody and storage (where software and hardware are used to store and handle private keys); • exchange, brokerage and dealing services (where the service provider facilitates access to crypto assets); and • operating a market (facilitating peer-to-peer exchange of crypto assets). The primary risk associated with CASSPrs is the potential loss of a consumer’s assets or balance (in fiat or crypto) through the use of a providers’ facilities. This includes risks from: • operational risks including business continuity, illiquidity and inadequate capital; • insolvency and disorderly wind down; • fraud and key personnel risks; • Misleading or deceptive conduct; and • cybersecurity The failure of ACX.io The failure of an exchange can lead to significant consumer losses. ACX.io was an Australia-based digital currency exchange, registered with AUSTRAC. The exchange suspended withdrawals and deposits in early 2020 and fell into administration in 2021. Investors lost access to crypto assets and cash held at the exchange. This paper will consider secondary service providers that are centralised and serve retail investors and consumers. There is an evolving question about whether CASSPrs who deal in all crypto assets should be included in the regulatory perimeter, or whether the types of applicable crypto assets should be more narrowly defined. Current regulatory and policy landscape Financial products and services offered in Australia are generally regulated via the imposition of obligations on identifiable legal entities or intermediaries. Namely, products are regulated by imposing obligations on the sellers or distributors of the product. These intermediaries are supervised and held accountable for the products or services that they provide. 7 7 Appendix 1 provides a more substantive overview of how the existing regulatory framework may capture crypto assets. 5
Crypto asset secondary service providers: Licensing and custody requirements The emergence of crypto assets poses new challenges to the existing regulatory framework. While there are a number of regulators that oversee different aspects of the crypto asset ecosystem, there is currently no clear, holistic policy that directly regulates crypto assets or CASSPrs. Australia also places requirements on secondary service providers for anti-money laundering and counter terrorism financing purposes. These are outlined further in the next section. Regulatory objectives The Government is committed to ensuring that consumers can buy, sell, and store crypto assets using Australian CASSPrs with confidence. The Government identifies the following objectives for the proposed regulatory regime: • ensuring that regulation is fit for purpose, technology neutral and risk-focussed • creating a predictable, light touch, consistent and simple legal framework; • avoiding undue restrictions; • recognising the unique nature of crypto assets; and • harnessing the power of the private sector The proposed licensing regime would provide a framework for minimum standards of conduct, including for custody of private keys and the suitability of key persons to be operating secondary service provider businesses (through fit and proper person tests). These changes will provide regulatory clarity and give confidence to both consumers and businesses, encouraging investment and innovation in the local crypto ecosystem. 6
Crypto asset secondary service providers: Licensing and custody requirements Existing regulatory framework The existing regulatory framework is composed of a patchwork of principles-based obligations drawn from other parts of Australian law – the Corporations Act 2001 (Corporations Act), Anti-Money Laundering and Counter-Terrorism Financing Act 2006, and the Competition and Consumer Act 2010. Existing regulation Crypto assets Currently, the regulatory treatment of a given crypto asset depends on the way in which it is classified. A key question is whether the crypto asset is a financial product. If it is a financial product, it is regulated by the Australian Securities and Investment Commission (ASIC) under the Corporations Act and the Australian Securities and Investment Commission Act 2001 (ASIC Act). If it is not a financial product, then it is considered a consumer product and is regulated by the Australian Competition and Consumer Commission (ACCC) under the Australian Consumer Law. Whether a crypto asset is considered a financial product depends on its use, as primarily defined in section 763A of the Corporations Act. The current definition of a financial product, which was written prior to the invention and proliferation of crypto assets, does not provide sufficient clarity as to the intended regulatory treatment of a wide variety of novel crypto assets. Industry has reported difficulty in determining whether the financial products and services regime or the consumer law regime applies to their products. Further detail on the current law is provided in Appendix 1. Crypto assets that meet the definition of financial products in the Corporations Act are subject to a range of regulatory obligations including disclosure requirements and, for financial products traded on financial markets, prohibitions on market manipulation. Crypto asset secondary service providers CASSPrs provide access to crypto assets in a variety of ways, through an exchange, brokerage services, or by dealing directly with retail consumers. A subset of CASSPrs that exchange fiat currency to crypto assets are subject to limited, principles-based regulation in Australia as digital currency exchanges. Since 2018, AUSTRAC has been registering digital currency exchanges for AML/CTF purposes. This means that digital currency exchanges that have a geographical link to Australia must register with AUSTRAC and meet AML/CTF compliance and reporting obligations, including Know Your Customer (KYC) requirements and ongoing due diligence. Prohibitions against misleading or deceptive conduct along with other consumer protections also apply under the Australian Consumer Law and the ASIC Act. Custody of crypto assets In Australia, there are two circumstances where there are mandatory minimum requirements for the safekeeping and administration of assets. These minimum requirements seek to prevent and mitigate instances where the assets may be subject to loss or theft and can cover crypto assets held in the relevant circumstances. The two circumstances where minimum custody requirements apply are: • the safekeeping of scheme property under the Corporations Act. 8 These minimum requirements apply to responsible entities or their custodians who safekeep scheme property. The responsible entity remains responsible for all scheme property held by an external 8 The requirements are imposed on the responsible entity or custodian, via the responsible entity, through ASIC class order (see ASIC Class Order 13/1409 and ASIC Regulatory Guide 133). 7
Crypto asset secondary service providers: Licensing and custody requirements custodian. Crypto assets held as scheme property benefit from these minimum requirements; and • the safekeeping of financial products under the Corporations Act by custodians (as custodial or depository service providers). 9 Crypto assets that are financial products would benefit from these minimum requirements. ASIC has also outlined good practices for responsible entities in relation to safekeeping crypto assets as part of the operation of a registered scheme that account for the unique characteristics of crypto assets (see Appendix 2). Actual and perceived regulatory gaps The absence of specific regulation for crypto assets and their associated service providers has led to actual and perceived regulatory gaps. Challenges classifying crypto assets as financial products or non-financial products Crypto assets can be programmed to provide a large variety of different rights and features and have a significant number of expanding and novel use cases. This makes classification complex and uncertain – especially when consumers, industry and regulators are attempting to identify whether it should be treated as a financial product. Counterparty risks associated with using crypto as a store of value or investment The significant increase in the price of crypto assets has led many retail consumers to seek exposure to crypto assets as investments through various secondary service providers. These consumers have had limited recourse in the event of operational, cybersecurity or financial failures of these secondary service provides. For example, as early as 2014, Mt Gox - a widely-used crypto asset trading platform at the time - collapsed when US$450 million of bitcoin was stolen in a cyber-attack. Since then, many crypto asset trading platforms have suffered cyber-attacks and losses, with many of these attacks resulting in the secondary service provider becoming insolvent. Perception that similar services are regulated in a similar way Crypto asset secondary service providers may appear to consumers to provide similar services to financial services licensees. Therefore, consumers may be under the impression that the service providers are subject to similar regulatory oversight. For example: • digital currency exchanges can operate in a similar way to regulated financial markets. They provide a forum for buyers and sellers to meet and transact, often by use of an order book matching system operating on price-time priority; • independent crypto asset brokers may arrange for consumer orders to be completed through a third-party market or exchange; and • some entities may operate as dealers, buying crypto assets directly from, or selling crypto assets directly to, customers. Protecting the community from criminal enterprises and fraud At present, digital currency exchanges providing services to exchange fiat money for crypto assets and vice versa, are subject to AUSTRAC registration to ensure consideration of the money laundering 9 The requirements are imposed on custodian, through ASIC class order (see ASIC Class Order 13/1410 and ASIC Regulatory Guide 133). 8
Crypto asset secondary service providers: Licensing and custody requirements and terrorism financing risks presented by a business. However, owners, directors and managers of crypto asset secondary service provider businesses are not currently subject to fit and proper person checks or other tests of good character and propriety. 9
Crypto asset secondary service providers: Licensing and custody requirements Proposed terminology and definitions Terminology changes While the Senate Select Committee used the term ‘digital currency exchange’, the Government considers a more suitable, precise term to be a Crypto Asset Secondary Service Provider or “CASSPr”. Exchanges are only a subset of entities that provide services to consumers within the crypto asset ecosystem. There are many other relevant secondary service providers, including brokerage services, dealers, and custody services. Consultation questions To help inform consideration of a licensing regime for CASSPrs, the Government seeks stakeholder feedback on the following questions: 1. Do you agree with the use of the term Crypto Asset Secondary Service Provider (CASSPr) instead of ‘digital currency exchange’? 2. Are there alternative terms which would better capture the functions and entities outlined above? Proposed definitions “Crypto asset secondary service provider” is defined for the purposes of this paper as follows: Any natural or legal person who, as a business, conducts one or more of the following activities or operations for or on behalf of another natural or legal person: i. exchange between crypto assets and fiat currencies; ii. exchange between one or more forms of crypto assets; iii. transfer of crypto assets; iv. safekeeping and/or administration of virtual assets or instruments enabling control over crypto assets; and v. participation in and provision of financial services related to an issuer’s offer and/or sale of a crypto asset.10 A “crypto asset” is defined by ASIC as: “…a digital representation of value or contractual rights that can be transferred, stored or traded electronically, and whose ownership is either determined or otherwise substantially affected by a cryptographic proof.” 11 It is proposed that one definition of crypto assets would be applied across all Australian regulatory frameworks. This definition will capture all possible crypto assets that may be subject to the AML/CTF regime, tax, financial and other regulation in Australia. Consultation questions 3. Is the above definition of crypto asset precise and appropriate? If not, please provide alternative suggestions or amendments. 4. Do you agree with the proposal that one definition for crypto assets be developed to apply across all Australian regulatory frameworks? 10 Financial Action Task Force, Updated Guidance for a Risk Based Approach for Virtual Assets and Virtual Asset Service Providers, FATF, 2021, accessed on 3 February 2022. 11 Australian Securities and Investment Commission, Consultation Paper 343 - Crypto-assets as underlying assets for ETPs and other investment products, ASIC, 2021, accessed 1 March 2022. 10
Crypto asset secondary service providers: Licensing and custody requirements 5. Should CASSPrs who provide services for all types of crypto assets be included in the licencing regime, or should specific types of crypto assets be carved out (e.g. NFTs)? 11
Crypto asset secondary service providers: Licensing and custody requirements Proposed principles, scope and policy objectives of the new regime Nature of crypto assets and implications for regulation This paper presents two foundational principles for the regulation of crypto assets. First and foremost, products and services should be regulated according to the risks they could present. Products that use new technologies which reduce risk should be subject to different and lighter regulation than existing products, even if they provide the same service to the consumer. In short, how crypto assets are regulated should be considered in light of any potential risks, or lack thereof. In particular, crypto assets are distinct in character from financial products and are affected by different market dynamics, with features that create different risks and market failures. Secondly, any regulation should be technology neutral. The Financial System Inquiry Final Report noted that “[p]olicy settings should seek to encourage innovation by being technologically and competitively neutral in design.” 12 In other words, the regulatory approach should seek to ‘look through’ the technology and apply regulation consistently, based on the risks associated with the subject of the regulation. Given this, the use of any technology or ‘tokenisation’ of an asset in general does not automatically dictate the regulatory treatment of an asset. For example, the process of ‘tokenisation’ of an asset by putting it on-chain should not make an asset a financial product per se. If a crypto asset is a representation of, or connected with, an underlying product, service, or asset, then the regime that already applies to the underlying product, service, or asset should apply as far as practical. The token mapping exercise to be completed by end of 2022 will provide further clarity as to how crypto assets are classified on a risk-based and technology agnostic basis. Rationale for the proposal Some industry participants and commentators have suggested that crypto assets ought to be regulated as financial products under the Corporations Act. However, the principles for regulating crypto assets are not identical to those behind financial product regulation and should not be treated as such. This is a separate consideration to whether an existing crypto asset fits into the current definition of financial products under the Corporations Act. This paper therefore revisits the reasons why financial products are regulated in Australia (i.e. what problems does regulation aim to solve) and the extent to which those problems are the same as those created by crypto assets. The reasons for regulation of financial products While all commercial products and transactions in Australia are regulated in some way through economy wide obligations such as the prohibitions against misleading or deceptive conduct in the Australian Consumer Law, products that meet the definition of a financial product have additional oversight and obligations, including around disclosure and redress. This higher standard of regulation reflects a number of factors, particularly the importance of the financial system to the economy, the complexity of financial products for individuals, and the potential risks to consumers. Financial products are the means through which consumers allocate their savings, and the means through which capital is allocated in the economy. They are also intangible and may be complex. 12 The Australian Government the Treasury, Financial System Inquiry Final Report, The Treasury, 2014, accessed 18 March 2022. 12
Crypto asset secondary service providers: Licensing and custody requirements Beyond this, there have traditionally been two primary justifications for the regulation of financial products: trust, and asymmetric information. When a person purchases a financial product, they enter a contract that is a trust-based relationship. The product issuer promises to deliver the financial product in line with the terms of the contract (e.g. that the bond will pay 5 per cent for 10 years). Part of the role of financial regulation is to provide some confidence to consumers and businesses that the promises made by entities in the financial system will be kept. This not only encourages consumers to engage with the financial system, but also to make investments, take on risk and make other worthwhile economic transactions. There may also be a degree of asymmetric information during the transaction. An issuer of a financial product typically knows more about the product than the buyer, and may not make this information available to the buyer. For this reason, regulation mandates disclosures (e.g. Product Disclosure Statements). Crypto assets are distinct On the other hand, with respect to crypto assets, there may not be a conventional issuer or seller, and the relationship between the buyer and the seller can be trustless. 13 A crypto asset will do what it is programmed to – mathematically – and in a distributed network changing this programming is at least challenging and at best impossible. Similarly, there is no requirement to trust a central authority to arbitrate transactions. Lastly, on open blockchains, information is visible – it is permissionless and transparent. Key market failures intrinsic to financial products are not necessarily intrinsic to crypto assets. This means that much of the need for regulatory recourse that may be required for financial products does not necessarily exist for many crypto assets. In sum, notwithstanding that the use case of any given financial product and crypto asset may be similar, the regulation of the two should be separate and distinct as they do not present the same potential risks. This does not mean that all crypto related-assets are trustless – those that involve a connection with a conventional good or service, for example (such as delivery of a physical product or provision of a service by a counterparty) – still require trust. Similarly, traditional financial products that employ elements of crypto technology but present similar risks to a traditional product – a tokenised bond, for instance, or conversely, a bitcoin future – are still likely to be considered part of the financial products regime. This adds support to the argument for “looking through” the technology and focussing on the underlying asset rather applying regulation to the comparatively trustless crypto asset technology. Crypto asset secondary service providers However, there is a distinction between issuers of crypto assets and the service providers who facilitate consumer access to them. The introduction of secondary service providers and centralised systems actors introduces risk, and a requirement for trust. This leads to a need for regulation of secondary service providers. Moreover, the risk of consumer detriment when dealing with crypto asset service providers is relatively high and the quality of the service may be hard to gauge before purchase. There have been a number of high-profile crypto currency exchange failures. Most recently, the failure of Australian exchange MyCryptoWallet led many investors to lose their funds that were stored on exchange. 13 There is an ongoing debate as to the true “trustlessness” of crypto assets. The point remains that crypto assets require an order of magnitude less trust than other assets including financial products and should thus be considered differently. 13
Crypto asset secondary service providers: Licensing and custody requirements When transacting with MyCryptoWallet, investors who had not moved their funds to a cold wallet had taken on counterparty risk and been left with potential losses when the counterparty failed. Industry has also called for regulation, arguing that a licencing regime for CASSPrs would provide regulatory clarity and help signal to consumers which operators meet certain minimum standards. The government supports regulation that encourages the growth of a thriving, legitimate, regulated industry of CASSPrs. This paper proposes to regulate CASSPrs who: • provide retail consumers access to non-financial product crypto assets; • provide safekeeping, custody, or storage of all crypto assets on behalf of a consumer; and • are captured by the Financial Action Task Force's definition of a Virtual Asset Service Provider for anti-money laundering and counter terrorism financing reasons. Policy objectives This paper proposes the following policy objectives to underpin a licensing regime for CASSPrs: • minimise the risks to consumers from the operational, custodial, and financial risks facing the use of CASSPrs. This will be achieved through mandating minimum standards of conduct for business operations and for dealing with retail consumers to act as policy guardrails; • support the AML/CTF regime and protect the community from the harms arising from criminals and their associates owning or controlling CASSPrs; and • provide regulatory certainty about the policy treatment of crypto assets and CASSPrs, and provide a signal to consumers to differentiate between high quality, operationally sound businesses, and those who are not. Consultation questions 6. Do you see these policy objectives as appropriate? 7. Are there policy objectives that should be expanded on, or others that should be included? Crypto assets covered by the proposed licensing regime For entities providing retail consumers with access to crypto assets which are not financial products, this paper proposes a tailored licensing framework, as set out below. 14 The proposed licensing regime will apply to: • all secondary service providers who operate as brokers, dealers, or operate a market for crypto assets, and • all secondary service providers who offer custodial services in relation to crypto assets. This regime would not apply to decentralised platforms or protocols. Feedback is sought on the bounds of the licensing regime, in particular whether CASSPrs that provide services for all non-financial product crypto assets should be included, or if particular types should be included or excluded. To the extent entities provide a service in respect of a crypto asset which meets the definition of financial product, they will need to comply with the existing relevant regulatory regimes. However, to avoid regulatory duplication this policy proposal also intends, as far as practicable, to ensure that providers are not subject to multiple regulatory regimes (e.g. having an Australian financial services (AFS) Licence or an Australian market licence, as well as a CASSPr licence). 14 If a crypto asset is a financial product, then CASSPrs needs to comply with the financial services regime. 14
Crypto asset secondary service providers: Licensing and custody requirements ASIC would administer this proposed regime. Existing obligations under the Australian Consumer Laws will continue to apply as appropriate. Interaction with existing AML/CTF regime The existing regulation of AML/CTF administered by AUSTRAC is well known and understood. AUSTRAC will remain the AML/CTF supervisor for CASSPrs that provide designated services under the AML/CTF Act. However, to achieve regulatory efficiencies and minimise duplication, consideration will be given to how the existing AUSTRAC registration requirements may be integrated with the new regulatory model proposed in this paper. A licensing framework with robust fitness and propriety checks that ensure that criminals and their associates are kept out of the sector could fulfil the purpose of AUSTRAC’s existing registration framework. Consultation questions 8. Do you agree with the proposed scope detailed above? 9. Should CASSPrs that engage with any crypto assets be required to be licenced, or should the requirement be specific to subsets of crypto assets? For example, how should the regime treat non-fungible token (NFT) platforms? 10. How do we best minimise regulatory duplication and ensure that as far as possible CASSPrs are not simultaneously subject to other regulatory regimes (e.g. in financial services)? 15
Crypto asset secondary service providers: Licensing and custody requirements Proposed obligations on crypto asset secondary service providers This proposal would implement a CASSPr licensing regime which would be separate from the AFS licensing regime (Alternative option 1 below adopts this approach). Most of the entities providing access to crypto assets also provide custodial services. These entities would need to comply with the custodial obligations proposed in this consultation paper, or, if they outsource custody to a third party, ensure that these entities comply with the custody obligations. There would only be one licence type for CASSPrs who facilitate the buying and selling of crypto assets (exchanges, dealers, brokers) and custodians but the obligations would be graduated depending on the number and type of services offered by the CASSPrs. The obligations would be administered in a flexible manner with the aim of ensuring that industry participants behave with honesty, fairness, integrity, and competence while keeping a simple, consistent and efficient regulatory approach. Rationale for the proposal Consumers are currently exposed to significant financial and operational risks, including custody risks, when engaging with CASSPrs. For example, a consumer’s crypto assets and money may be at risk in insolvency proceedings if their service provider becomes insolvent. These obligations aim to minimise consumers’ exposure to these risks. More generally, the proposed regime will provide industry with regulatory certainty as the crypto ecosystem and virtual economy continue to evolve. Proposed obligations This regime would impose the following obligations on CASSPrs: (1) do all things necessary to ensure that: the services covered by the licence are provided efficiently, honestly and fairly; and any market for crypto assets is operated in a fair, transparent and orderly manner; (2) maintain adequate technological, and financial resources to provide services and manage risks, including by complying with the custody standards proposed in this consultation paper; (3) have adequate dispute resolution arrangements in place, including internal and external dispute resolution arrangements; (4) ensure directors and key persons responsible for operations are fit and proper persons and are clearly identified; (5) maintain minimum financial requirements including capital requirements; (6) comply with client money obligations; (7) comply with all relevant Australian laws; (8) take reasonable steps to ensure that the crypto assets it provides access to are “true to label” e.g. that a product is not falsely described as a crypto asset, or that crypto assets are not misrepresented or described in a way that is intended to mislead (9) respond in a timely manner to ensure scams are not sold through their platform; (10) not hawk specific crypto assets; (11) be regularly audited by independent auditors; 16
Crypto asset secondary service providers: Licensing and custody requirements (12) comply with AML/CTF provisions (including a breach of these provisions being grounds for a licence cancellation); and (13) maintain adequate custody arrangements as proposed in the next section. The first seven obligations are similar to obligations that are applied under the financial services regime and go towards ensuring minimum standards of conduct and operational resilience. ASIC would be empowered to grant relief from some or all the obligations if warranted, on a case-by-case basis to ensure the regime remains agile and flexible. More work will be needed to define the scope and application of these obligations if they are implemented in legislation along with the necessary powers needed for the regulator e.g. to grant, vary and cancel licences. Regulatory guidance would supplement the law to provide additional clarity about the application of obligations. The regime would likely rely on similar supervisory and enforcement mechanisms to the AFS licensing regime. For example, compulsory information gathering powers, civil and criminal penalty provisions. More information on the financial requirements, hawking prohibition and custody requirements are outlined below. Consultation questions 11. Are the proposed obligations appropriate? Are there any others that ought to apply? 12. Should there be a ban on CASSPrs airdropping crypto assets through the services they provide? 13. Should there be a ban on not providing advice which takes into account a person’s personal circumstances in respect of crypto assets available on a licensee’s platform or service? That is, should the CASSPrs be prohibited from influencing a person in a manner which would constitute the provision of personal advice if it were in respect of a financial product (instead of a crypto asset)? 14. If you are a CASSPr, what do you estimate the cost of implementing this proposal to be? Financial requirements Adequate financial requirements would be specified by ASIC and would depend on the services provided and volume of transactions. Stronger financial requirements would be imposed on CASSPrs that maintain custody of private keys. The objective of the requirement is to ensure that entities who provide custody and other services: 1. have sufficient financial resources to conduct their business; 2. have a financial buffer that decreases the risk of a disorderly or non-compliant wind-up if the business fails; and 3. there are financial disincentives in place for owners if obligations are not complied with. Prohibition on hawking or pressure selling crypto assets Under the proposed hawking prohibition, a CASSPr must not, in the course of an unsolicited contact with a retail consumer: • offer specific crypto assets for sale; or • request or invite a consumer to ask for crypto assets offered through the service. 17
Crypto asset secondary service providers: Licensing and custody requirements Unsolicited contact is contact that takes place in real time to which the consumer did not consent. The objective of this proposed prohibition is for consumers to have control over their decisions to purchase crypto assets and not be subject to aggressive selling tactics by CASSPrs in relation to the crypto assets they offer through their service. The hawking prohibition would not generally apply to advertising or the mere provision of information. Custody Custody of client assets is a core part of the business model of most CASSPrs, including those that operate a market for crypto assets. It is important that CASSPrs meet minimum standards for safeguarding private keys of crypto assets, or to ensure that the entity they outsource this responsibility to meets these standards. The proposed custody standards are set out in the next section of the paper. These obligations would aim to protect both crypto and non-crypto client assets from the insolvency of a service provider, and thereby support consumer confidence when dealing with industry. Proposed custody requirements will be further outlined in the next section of this paper. Alternative options This paper also seeks views on the following alternate options. Alternative option 1: Regulating CASSPrs under the financial services regime Under this option, all crypto assets could be brought into the existing financial services regime by defining crypto assets as financial products under section 764A of the Corporations Act and the financial services regime tailored to achieve the appropriate outcomes for crypto assets. The Government (or the regulator) could be provided with powers to exempt or “carve out” particular crypto assets which do not warrant regulation under the financial services regime in a risk-based manner. Under this option CASSPrs that provide a trading venue would be subject to the Australian market licensing regime. Entities operating as brokers – by forwarding clients’ orders to a third-party exchange for execution – would be licensed under the AFS licensing regime and comply with the associated obligations. Other entities would need to comply with the relevant obligations under financial services regimes. There is flexibility in how this option could be implemented. For example, the Government could tailor the financial services regime to apply differently to different products or services. For example, basic banking products are subject to less onerous requirements than derivatives. This approach could lead to a delay before new crypto assets could be excluded from the regime, which may impede innovation. Some CASSPrs would be subject to much higher financial requirements (for instance under the market licence), as well as navigating compliance with numerous parts of the regime. Consultation questions 15. Do you support bringing all crypto assets into the financial product regulatory regime? What benefits or drawbacks would this option present compared to other options in this paper? 16. If you are a CASSPr, what do you estimate the cost of implementing this proposal to be? 18
Crypto asset secondary service providers: Licensing and custody requirements Alternative option 2: Self-regulation by the crypto industry Under this option, industry would develop a code of conduct for crypto asset services. This could be approved by a regulator and meet minimum regulatory policy goals similar to those proposed above – such as in respect of consumer protection and AML/CTF. The ‘Global Digital Finance Principles for Token Trading Platforms’ 15 and Blockchain Australia’s ‘Australian Digital Currency Code of Conduct’ 16 provide useful starting points for a voluntary code of conduct. The existing regulatory regime for AML/CTF obligations would continue to apply. This approach is closer to the US and UK, who do not specifically regulate crypto assets (excluding for AML/CTF) unless they are securities or financial products. Both jurisdictions are considering additional obligations for crypto assets. Consultation questions 17. Do you support this approach instead of the proposed licensing regime? If you do support a voluntary code of conduct, should they be enforceable by an external dispute resolution body? Are the principles outlined in the codes above appropriate for adoption in Australia? 18. If you are a CASSPr, what do you estimate the cost and benefits of implementing this proposal would be? Please quantify monetary amounts where possible to aid the regulatory impact assessment process. 15 Global Digital Finance, A Code of Conduct Principles for Token Trading Platforms, GDF, 2019, accessed 1 March 2022. 16 Blockchain Australia, Code of Conduct, BA, 2021, accessed 1 March 2022. 19
Crypto asset secondary service providers: Licensing and custody requirements Proposed custody obligations to safeguard private keys This proposal would implement mandatory minimum, principles-based custody obligations for private-keys that are held or stored by CASSPrs on behalf of consumers. The CASSPr that has the direct relationship with the consumer would be liable for the safekeeping of all crypto asset private keys in its care (whether the storage of the private keys are outsourced to a third-party custodian or not). Rationale for the proposal Consumers who access crypto assets through CASSPrs often rely on their service provider to maintain custody of their crypto assets (i.e. safeguard their private keys). This exposes consumers to the custody risks facing their service providers. Consumers do not have control over the day-to-day actions of CASSPrs and are not well-placed to assess the security and resilience of their service providers’ custody arrangements. The security of private keys to prevent unauthorised access (both online and offline) of crypto assets is of critical importance. Private keys are necessary to sign transactions that assign crypto assets to new addresses. If private keys are compromised, unauthorised parties can use them to transfer the crypto assets to addresses (and parties) that are outside the control of the owner of the crypto assets. Minimum custody standards can ensure that service providers manage the custody risks facing their clients’ holdings, and in so doing support consumer confidence. A proposal for requiring minimum standards for the safe custody of crypto assets by CASSPrs is set out below. Proposed obligations The proposal is to apply mandatory, principles-based obligations to CASSPrs who maintain custody (either themselves or via third parties) of crypto assets on behalf of consumers. These proposed obligations would include: (1) holding assets on trust for the consumer; (2) ensuring that consumers’ assets are appropriately segregated; (3) maintain minimum financial requirements including capital requirements; (4) ensuring that the custodian of private keys has the requisite expertise and infrastructure; (5) private keys used to access the consumer's crypto assets must generated and stored in a way that minimises the risk of loss and unauthorised access; (6) adopt signing approaches that minimise ‘single point of failure’ risk; (7) robust cyber and physical security practices; (8) independent verification of cybersecurity practices; (9) processes for redress and compensation in the event that crypto assets held in custody are lost; (10) when a third-party custodian is used, that CASSPrs have the appropriate competencies to assess the custodian’s compliance necessary requirements; and 20
Crypto asset secondary service providers: Licensing and custody requirements (11) any third-party custodians have robust systems and practices for the receipt, validation, review, reporting and execution of instructions from the CASSPr. These principles-based obligations are designed to afford consumers necessary protections in relation to custody, whilst not restricting custodians to specific technology or prescribed requirements that evolve over time. They will also be applied in a manner that is proportionate to the nature, scale, and complexity of each custodian’s operations. Consultation questions 19. Are there any proposed obligations that are not appropriate in relation to the custody of crypto assets? 20. Are there any additional obligations that need to be imposed in relation to the custody of crypto assets that are not identified above? 21. There are no specific domestic location requirements for custodians. Do you think this is something that needs to be mandated? If so, what would this requirement consist of? 22. Are the principles detailed above sufficient to appropriately safekeep client crypto assets? 23. Should further standards be prescribed? If so, please provide details 24. If you are a CASSPr, what do you estimate the cost of implementing this proposal to be? Alternate option: Industry self-regulation Alternatively, industry could take responsibility for maintaining minimum standards and expectations that are used by crypto custodians. In Australia and abroad there are industry associations for blockchain or distributed ledger technology businesses, with some adopting codes of conduct and best-practice standards of conduct for businesses operating in the crypto asset industry. When organisations are compliant or adopt these codes, they can be certified by their industry body which publicly signals compliance with minimum standards for the custody of crypto assets. An example of such a code is the Global Digital Finance – Code of Conduct Part VIII(i) – Principles for Custody – “Custodial Wallets”. This option would rely on industry working collaboratively and self-regulating crypto asset custodians according to the codes or standards that are created by industry. An industry code may look to include principles or specific requirements for how businesses manage consumer protection, levels of insurance, technical standards and other key considerations as determined by industry. Advantages of this option include that industry participants will have the flexibility and limited regulatory barriers that could foster or encourage the growth of new and innovative blockchain or technology businesses in Australia. This option may mean that the industry does not receive the certainty or clarity of a regulatory framework that allows for forward planning and investment in people, infrastructure and technology. In addition, some market participants may not adopt the code or maintain the standards most industry members adopt, which can offset some of the confidence that is built through the effort of other organisations. The existing regulatory regime for AML/CTF obligations would continue to apply, as self-regulation cannot be extended for AML/CTF purposes. While several countries have established licensing requirements for custody services, including Germany and Greece, there are jurisdictions such as Japan which was the first country to create 21
You can also read